From 366250d6009a093ad8843a3721148aad7b45b291 Mon Sep 17 00:00:00 2001
From: Jonathan Bell <jonathan@raspberrypi.com>
Date: Tue, 25 Oct 2022 10:50:10 +0100
Subject: [PATCH] drivers: usb: dwc_otg: fix reference passing when
 checking bandwidth

The pointer (struct usb_host_endpoint *)->hcpriv should contain a
reference to dwc_otg_qh_t if the driver has already seen a URB submitted
to this endpoint.

It then checks whether the qh exists and is already in a schedule in
order to decide whether to allocate periodic bandwidth or not. Passing a
pointer to an offset inside of struct usb_host_endpoint instead of just
the pointer means it dereferences bogus addresses.

Rationalise (delete) a variable while we're at it.

See https://github.com/raspberrypi/linux/issues/5189

Signed-off-by: Jonathan Bell <jonathan@raspberrypi.com>
---
 drivers/usb/host/dwc_otg/dwc_otg_hcd_linux.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

--- a/drivers/usb/host/dwc_otg/dwc_otg_hcd_linux.c
+++ b/drivers/usb/host/dwc_otg/dwc_otg_hcd_linux.c
@@ -807,7 +807,6 @@ static int dwc_otg_urb_enqueue(struct us
 	struct usb_host_endpoint *ep = urb->ep;
 #endif
 	dwc_irqflags_t irqflags;
-        void **ref_ep_hcpriv = &ep->hcpriv;
 	dwc_otg_hcd_t *dwc_otg_hcd = hcd_to_dwc_otg_hcd(hcd);
 	dwc_otg_hcd_urb_t *dwc_otg_urb;
 	int i;
@@ -824,7 +823,7 @@ static int dwc_otg_urb_enqueue(struct us
 	if ((usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS)
 	    || (usb_pipetype(urb->pipe) == PIPE_INTERRUPT)) {
 		if (!dwc_otg_hcd_is_bandwidth_allocated
-		    (dwc_otg_hcd, ref_ep_hcpriv)) {
+		    (dwc_otg_hcd, ep->hcpriv)) {
 			alloc_bandwidth = 1;
 		}
 	}
@@ -910,13 +909,12 @@ static int dwc_otg_urb_enqueue(struct us
 #endif
 	{
 		retval = dwc_otg_hcd_urb_enqueue(dwc_otg_hcd, dwc_otg_urb,
-						/*(dwc_otg_qh_t **)*/
-						ref_ep_hcpriv, 1);
+						&ep->hcpriv, 1);
 		if (0 == retval) {
 			if (alloc_bandwidth) {
 				allocate_bus_bandwidth(hcd,
 						dwc_otg_hcd_get_ep_bandwidth(
-							dwc_otg_hcd, *ref_ep_hcpriv),
+							dwc_otg_hcd, ep->hcpriv),
 						urb);
 			}
 		} else {
